diff --git a/ANNOUNCE b/ANNOUNCE index d0af1be35..bcd273543 100644 --- a/ANNOUNCE +++ b/ANNOUNCE @@ -1,4 +1,4 @@ -Libpng 1.6.19beta02 - August 18, 2015 +Libpng 1.6.19beta02 - August 19, 2015 This is not intended to be a public release. It will be replaced within a few weeks by a public version or by another test version. @@ -40,7 +40,7 @@ Version 1.6.19beta01 [July 30, 2015] Fixed potential leak of png_pixels in contrib/pngminus/pnm2png.c Fixed uninitialized variable in contrib/gregbook/rpng2-x.c -Version 1.6.19beta02 [August 18, 2015] +Version 1.6.19beta02 [August 19, 2015] Moved config.h.in~ from the "libpng_autotools_files" list to the "libpng_autotools_extra" list in autogen.sh because it was causing a false positive for missing files (bug report by Robert C. Seacord). @@ -57,6 +57,12 @@ Version 1.6.19beta02 [August 18, 2015] high level of warnings). Safely convert num_bytes to a png_byte in png_set_sig_bytes() (Robert Seacord). + Fixed the recently reported 1's complement security issue by replacing + the value that is illegal in the PNG spec, in both signed and unsigned + values, with 0. Illegal unsigned values (anything greater than or equal + to 0x80000000) can still pass through, but since these are not illegal + in ANSI-C (unlike 0x80000000 in the signed case) the checking that + occurs later can catch them (John Bowler). Send comments/corrections/commendations to png-mng-implement at lists.sf.net (subscription required; visit diff --git a/CHANGES b/CHANGES index 8eb80ae2b..6ea423bad 100644 --- a/CHANGES +++ b/CHANGES 
@@ -5320,7 +5320,7 @@ Version 1.6.19beta01 [July 30, 2015] Fixed potential leak of png_pixels in contrib/pngminus/pnm2png.c Fixed uninitialized variable in contrib/gregbook/rpng2-x.c -Version 1.6.19beta02 [August 18, 2015] +Version 1.6.19beta02 [August 19, 2015] Moved config.h.in~ from the "libpng_autotools_files" list to the "libpng_autotools_extra" list in autogen.sh because it was causing a false positive for missing files (bug report by Robert C. Seacord). @@ -5337,6 +5337,12 @@ Version 1.6.19beta02 [August 18, 2015] high level of warnings). Safely convert num_bytes to a png_byte in png_set_sig_bytes() (Robert Seacord). + Fixed the recently reported 1's complement security issue by replacing + the value that is illegal in the PNG spec, in both signed and unsigned + values, with 0. Illegal unsigned values (anything greater than or equal + to 0x80000000) can still pass through, but since these are not illegal + in ANSI-C (unlike 0x80000000 in the signed case) the checking that + occurs later can catch them (John Bowler). Send comments/corrections/commendations to png-mng-implement at lists.sf.net (subscription required; visit diff --git a/libpng-manual.txt b/libpng-manual.txt index b1fffdd0f..44215d55d 100644 --- a/libpng-manual.txt +++ b/libpng-manual.txt @@ -1,6 +1,6 @@ libpng-manual.txt - A description on how to use and modify libpng - libpng version 1.6.19beta02 - August 18, 2015 + libpng version 1.6.19beta02 - August 19, 2015 Updated and distributed by Glenn Randers-Pehrson Copyright (c) 1998-2015 Glenn Randers-Pehrson @@ -11,7 +11,7 @@ libpng-manual.txt - A description on how to use and modify libpng Based on: - libpng versions 0.97, January 1998, through 1.6.19beta02 - August 18, 2015 + libpng versions 0.97, January 1998, through 1.6.19beta02 - August 19, 2015 Updated and distributed by Glenn Randers-Pehrson Copyright (c) 1998-2015 Glenn Randers-Pehrson 
@@ -5312,7 +5312,7 @@ Other rules can be inferred by inspecting the libpng source. XVI. Y2K Compliance in libpng -August 18, 2015 +August 19, 2015 Since the PNG Development group is an ad-hoc body, we can't make an official declaration. diff --git a/libpng.3 b/libpng.3 index 2e2f12622..b4b3b05bf 100644 --- a/libpng.3 +++ b/libpng.3 @@ -1,4 +1,4 @@ -.TH LIBPNG 3 "August 18, 2015" +.TH LIBPNG 3 "August 19, 2015" .SH NAME libpng \- Portable Network Graphics (PNG) Reference Library 1.6.19beta02 .SH SYNOPSIS @@ -508,7 +508,7 @@ Following is a copy of the libpng-manual.txt file that accompanies libpng. .SH LIBPNG.TXT libpng-manual.txt - A description on how to use and modify libpng - libpng version 1.6.19beta02 - August 18, 2015 + libpng version 1.6.19beta02 - August 19, 2015 Updated and distributed by Glenn Randers-Pehrson Copyright (c) 1998-2015 Glenn Randers-Pehrson @@ -519,7 +519,7 @@ libpng-manual.txt - A description on how to use and modify libpng Based on: - libpng versions 0.97, January 1998, through 1.6.19beta02 - August 18, 2015 + libpng versions 0.97, January 1998, through 1.6.19beta02 - August 19, 2015 Updated and distributed by Glenn Randers-Pehrson Copyright (c) 1998-2015 Glenn Randers-Pehrson @@ -5820,7 +5820,7 @@ Other rules can be inferred by inspecting the libpng source. .SH XVI. Y2K Compliance in libpng -August 18, 2015 +August 19, 2015 Since the PNG Development group is an ad-hoc body, we can't make an official declaration. @@ -6141,7 +6141,7 @@ possible without all of you. Thanks to Frank J. T. Wojcik for helping with the documentation. -Libpng version 1.6.19beta02 - August 18, 2015: +Libpng version 1.6.19beta02 - August 19, 2015: Initially created in 1995 by Guy Eric Schalnat, then of Group 42, Inc. Currently maintained by Glenn Randers-Pehrson (glennrp at users.sourceforge.net). 
@@ -6164,7 +6164,7 @@ this sentence. This code is released under the libpng license. -libpng versions 1.0.7, July 1, 2000, through 1.6.19beta02, August 18, 2015, are +libpng versions 1.0.7, July 1, 2000, through 1.6.19beta02, August 19, 2015, are Copyright (c) 2000-2002, 2004, 2006-2015 Glenn Randers-Pehrson, and are distributed according to the same disclaimer and license as libpng-1.0.6 with the following individuals added to the list of Contributing Authors: @@ -6258,7 +6258,7 @@ the additional disclaimers inserted at version 1.0.7. Glenn Randers-Pehrson glennrp at users.sourceforge.net -August 18, 2015 +August 19, 2015 .\" end of man page diff --git a/png.c b/png.c index 541727760..39fa477e6 100644 --- a/png.c +++ b/png.c @@ -774,13 +774,13 @@ png_get_copyright(png_const_structrp png_ptr) #else # ifdef __STDC__ return PNG_STRING_NEWLINE \ - "libpng version 1.6.19beta02 - August 18, 2015" PNG_STRING_NEWLINE \ + "libpng version 1.6.19beta02 - August 19, 2015" PNG_STRING_NEWLINE \ "Copyright (c) 1998-2015 Glenn Randers-Pehrson" PNG_STRING_NEWLINE \ "Copyright (c) 1996-1997 Andreas Dilger" PNG_STRING_NEWLINE \ "Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc." \ PNG_STRING_NEWLINE; # else - return "libpng version 1.6.19beta02 - August 18, 2015\ + return "libpng version 1.6.19beta02 - August 19, 2015\ Copyright (c) 1998-2015 Glenn Randers-Pehrson\ Copyright (c) 1996-1997 Andreas Dilger\ Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc."; diff --git a/png.h b/png.h index c0f1b9c05..e93b4f2bf 100644 --- a/png.h +++ b/png.h @@ -1,7 +1,7 @@ /* png.h - header file for PNG reference library * - * libpng version 1.6.19beta02, August 18, 2015 + * libpng version 1.6.19beta02, August 19, 2015 * * Copyright (c) 1998-2015 Glenn Randers-Pehrson * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) 
@@ -12,7 +12,7 @@ * Authors and maintainers: * libpng versions 0.71, May 1995, through 0.88, January 1996: Guy Schalnat * libpng versions 0.89, June 1996, through 0.96, May 1997: Andreas Dilger - * libpng versions 0.97, January 1998, through 1.6.19beta02, August 18, 2015: Glenn + * libpng versions 0.97, January 1998, through 1.6.19beta02, August 19, 2015: Glenn * See also "Contributing Authors", below. * * Note about libpng version numbers: @@ -251,7 +251,7 @@ * * This code is released under the libpng license. * - * libpng versions 1.0.7, July 1, 2000, through 1.6.19beta02, August 18, 2015, are + * libpng versions 1.0.7, July 1, 2000, through 1.6.19beta02, August 19, 2015, are * Copyright (c) 2000-2002, 2004, 2006-2015 Glenn Randers-Pehrson, and are * distributed according to the same disclaimer and license as libpng-1.0.6 * with the following individuals added to the list of Contributing Authors: @@ -360,7 +360,7 @@ * Y2K compliance in libpng: * ========================= * - * August 18, 2015 + * August 19, 2015 * * Since the PNG Development group is an ad-hoc body, we can't make * an official declaration. @@ -430,7 +430,7 @@ /* Version information for png.h - this should match the version in png.c */ #define PNG_LIBPNG_VER_STRING "1.6.19beta02" #define PNG_HEADER_VERSION_STRING \ - " libpng version 1.6.19beta02 - August 18, 2015\n" + " libpng version 1.6.19beta02 - August 19, 2015\n" #define PNG_LIBPNG_VER_SONUM 16 #define PNG_LIBPNG_VER_DLLNUM 16 @@ -2724,7 +2724,7 @@ PNG_EXPORT(207, void, png_save_uint_16, (png_bytep buf, unsigned int i)); # define PNG_get_int_32(buf) \ ((png_int_32)((*(buf) & 0x80) \ - ? -((png_int_32)((png_get_uint_32(buf) ^ 0xffffffffL) + 1)) \ + ? -((png_int_32)(((png_get_uint_32(buf)^0xffffffffU)+1U)&0x7fffffffU)) \ : (png_int_32)png_get_uint_32(buf))) /* If PNG_PREFIX is defined the same thing as below happens in pnglibconf.h, diff --git a/pngrutil.c b/pngrutil.c index 4927d14dd..a60ee96fe 100644 --- a/pngrutil.c +++ b/pngrutil.c 
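Review bot: The new `& 0x7fffffffU` mask in `PNG_get_int_32` carries no comment, so nothing in png.h says that its only effect is to turn the input 0x80000000 into 0. For every other input with the top bit set, `(x ^ 0xffffffffU) + 1U` already lies in 1..0x7fffffff and the mask is a no-op. I would add above the macro: `/* 0x80000000 has no png_int_32 negation and is invalid in PNG; the mask maps it to 0, matching png_get_int_32() in pngrutil.c. */`. Keeping the macro and the function visibly in step matters because callers appear to get one or the other depending on build configuration. Separately, the macro still expands `buf` more than once (`*(buf)` and `png_get_uint_32(buf)` on both arms), so it should only be given side-effect-free arguments.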
@@ -89,7 +89,13 @@ png_get_int_32)(png_const_bytep buf)
 return uval;
 uval = (uval ^ 0xffffffff) + 1; /* 2's complement: -x = ~x+1 */
- return -(png_int_32)uval;
+ if ((uval & 0x80000000) == 0) /* no overflow */
+ return -(png_int_32)uval;
+ /* The following has to be safe; this function only gets called on PNG data
+ * and if we get here that data is invalid. 0 is the most safe value and
+ * if not then an attacker would surely just generate a PNG with 0 instead.
+ */
+ return 0;
 }
 /* Grab an unsigned 16-bit integer from a buffer in big-endian format. */
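Review bot: The new `return 0;` path makes an invalid field indistinguishable from a real zero. The function takes only `buf`, so it has no way to warn, and a malformed PNG carrying 80 00 00 00 is accepted silently. That contract belongs in the function's header comment, which lies outside this hunk, so that callers needing to reject such files know to check the raw bytes themselves. The added comment is also hard to parse; I would reword it to `/* uval is 0x80000000 here: invalid in PNG and not negatable as png_int_32. */` followed by `/* Return 0, a value a valid PNG could equally contain, so nothing new is exposed. */`. The constants here are unsuffixed (`0xffffffff`, `0x80000000`) while the png.h macro in the same commit uses `U` suffixes; using the same spelling in both would make the two implementations easier to compare.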